NSA and GCHQ have broken internet encryption, created backdoors that anyone could use

Share This article

This is the big one: New documents released by Edward Snowden show that the NSA and its British equivalent, GCHQ (pictured above), have cracked VPNs, SSL, and TLS — the encryption technologies that keep your data secure on the internet. The NSA program, dubbed Bullrun, took 10 years to crack the web’s encryption technologies, before finally reaching a breakthrough in 2010 that made “vast amounts” of previously unreadable data accessible. Perhaps more worryingly, the NSA has an ongoing program to place backdoors in commercial products (websites, routers, encryption programs, etc.) to enable easy snooping on encrypted communications. The documents, which contain some choice phrases such as, “work has predominantly been focused this quarter on Google due to new access opportunities being developed,” almost completely undermines the very basis of the internet, obliterating the concept of trust online.

The documents outline a three-pronged plan to ensure the NSA can access the bulk of the internet’s encrypted traffic: Influencing the development of new encryption standards to introduce weaknesses, using supercomputers to break encryption, and collaborating with ISPs and tech companies to gain backdoor access. Unfortunately, the documents don’t outline exactly how the NSA and GCHQ broke the security of VPNs, SSL, and TLS, only that they have successfully done it. There are numerous possibilities, with the two simplest being that the intelligence agencies have either obtained the root certificates used to sign private keys, or they’ve found a flaw in the standards that can be easily exploited — perhaps using a flaw that they themselves introduced into the standard.

A slide detailing the successes of the NSA and GCHQ programs to break internet encryption

The final point, that the NSA has been lobbying ISPs and tech companies to include backdoors in their products, is the most chilling. These backdoors might consist of hardware-level access (say, in your home router or a big router at your ISP) that allows the NSA to log in and spy on any data that passes through. These backdoors might be the NSA working with major tech companies, such as Microsoft or Facebook, to deliberately introduce flaws into the encryption tech so that the NSA can easily crack it. (A previous leak pegged Microsoft as helping the NSA circumvent encryption used by Outlook.com and IM services.) The main thing, though, is that these commercial entities are working with, not against, the NSA to introduce these backdoors.

At first blush, in the words of the NSA itself, these decryption programs are the “price of admission for the US to maintain unrestricted access to and use of cyberspace.” The problem is, by deliberately introducing security flaws, the NSA and GCHQ have obliterated the concept of trust online. The whole point of VPNs and TLS is that they are impossible to crack — at least within a reasonable time frame. We now know that our secure communications can be easily snooped on by the government — but more importantly, due to this plethora of backdoors, we can’t be sure that only the government is listening in. That’s the problem with a backdoor: It’s great while you’re the only one who knows about it, but it’s game-breakingly awful if someone else — an enemy government, for example — stumbles across it. (See: XKeyscore: The NSA program that collects ‘nearly everything’ that you do on the internet.)

This diagram shows how GCHQ proposed to identify, intercept, and decrypt encrypted traffic in near-real time.

For years the security industry has speculated that the internet was riddled with NSA backdoors, and now it seems we have confirmation. It would be foolish to assume that these backdoors haven’t been exploited by other, “non-authorized” entities. If you require private and secure communications, now would be the time consider your alternatives. (Have you ever thought about physically exchanging thumb drives?) Ideally, if the cryptographic systems behind VPN, SSL, and TLS have been broken (3DES, AES, etc.) then work needs to begin on new industry-standard ciphers. This would likely take years.

For a lot more information on the NSA and GCHQ’s sigint (signals intelligence) operations, hit up the Guardian. I can’t say that I’m really surprised, but it’s still a bit depressing to see the terrifying extent of their sigint operations laid bare — and moreover, I guarantee that, due to the higher levels of classification that Snowden couldn’t access, this is still just the tip of the iceberg.

I am thinking of moving to a farm with zero communication facilities. I will produce small amount of electricity for my electronics and I will possibly use cash.

The only thing is that I am not sure whether I can still continue my research and work. I will possibly use a university network a few times a year to download new papers in my field and back to the cave (the free world in fact). I can still earn money by designing electronics and developing software.

http://www.cardinalphoto.com David Cardinal

Sounds a bit like living in an Amish community. Electrics are okay as long as they’re not tied to the grid.

Glenn Scott

I’m still conflicted on this.

Back in the day, they would tap phones to try and get intelligence on what was going on, Put listening devices in an area where they suspected certain activity or send in someone to try and get information.

Nowadays, it’s the internet where all of the information flows. I can understand them wanting to be able to tap into a Skype call with someone from Pakistan who might be on a watch list. I can see a point in being able to see/read/hear what is going on across a VPN connection with a known terrorist organization in Saudi Arabia.
I can even see a point of cracking all communication, so they can scan for keywords and follow up.
I can see the point of it, but I do not necessarily agree with it.
I do things on the internet for my job. I do things that require encryption and VPN’s for a reason. If the NSA is able to crack those, who’s to say someone else can’t?
If I cannot trust that the things I want to keep confidential on the internet cannot be kept confidential…well…that’s a problem.

http://www.cardinalphoto.com David Cardinal

The weakening of the data security of US companies in the wake of growing cybercrime/cyberterrorism threats is particularly shameful to me. It is getting the priorities way wrong. And doing it all in secret, rather than as a matter of public policy & debate is definitely undemocratic.

Techutante

Weaken the entirety of the internet to stop a couple kids with pipe bombs.

Angel Ham

Actually, the true priority is to stop kids from illegally downloading Hollywood movies. Terrorists and pedophiles are just an afterthought.

wmac

What was the definition of democracy (western version specifically) again?

Cinekpol

Something that so-called “defenders of democracy” long forgotten.

m0r1arty

I’m just waiting to hear how it was all funded by the entertainment industry as a means to crack down on piracy and I’ll be laughing my socks off!

Daniel Revas

I thought that the asylum deal Snowden got was contingent on him not releasing any more documents? The Cold War rages on!

http://www.cardinalphoto.com David Cardinal

Daniel–Yes, that is how the deal has been reported. Except that Snowden apparently got a copy of many thousands of the documents he had to reporters before taking the deal. So now they can be dribbled out. I suspect at least part of (a copy of) that cache was what the friend of Greenwald’s detained in UK was carrying around with him.

Daniel Revas

The U.K. seems to have taken aggresive action to try to limit further dissemination of those files, as you noted with the detention of Greenwald’s associate. (The British government also has more power to control what is published under their Secrets Act.) You are also correct about the fact that we don’t know how many groups or individuals he gave copies to. But do we know where THESE documents actually originated? Greenwald was pretty bold originally in taking credit for breaking the story. He hasn’t been as “vocal” lately. I actually do read the Guardian, so I’m not speculating on that score.
As an old Kremlin watcher, who ironically has a Son who is engaged to a Russian girl, I think you have to consider that Putin is ex-KGB, and isn’t particularly happy with us right now. It isn’t a stretch to believe that giving Snowden asylum in the first place was to get their hands on that Data for there own purposes.
Historically, the Russians have been very good at that kind of thing.

vlackrs

Dear god…. Pandora’s box open….

mori bund

The land of the free…

XenoSilvano

…and the land of brave.

You know what that means right(?) It’s time to put the government back to its rightful place. *Click Click, Bang Bang* – You get what I’m sayin’?

XenoSilvano

This sort of commentary is going to end my up in some FEMA camp.

Michael Scoffield

I actually agree. You now need to be careful what you say/write online
cause a few bad words against government agencies and you might find
yourself on some death camp. I know I’m scared not to say something and
I’m not even American. I do know plenty of cases when the FBI arrested
people outside of America.

XenoSilvano

It’s such a disheartening feeling when you come to the realization of what sort of world we really live in as apposed to the one that we’ve been deceived into believe through our entire lives, we’ve been told so many lies.

ando35

Yeah, not knocking you but you are better off not speaking in such terms.. They are getting to the point where they go interview people who talk online.. Even when it is obviously just talk and venting.

XenoSilvano

This is all disturbing to say the very least.

Its more than clear now who really owns the country and its certainly not the people, we’re all nothing but a bunch of pawns.

We’re all living the central philosophies behind The Matrix film series, essentially.

ando35

Yup, I think that America is declining in every way. I feel like you could mark it with 9/11 and the economic collapse. And then suddenly things got weirder and weirder, from crime to politics to culture.

But definitely headed towards less free.

mori bund

BTW: good to see that the bullying of the British government doesn’t stop the Guardian from exposing the truth.

earlfrumkin

johnny mnemonic

Eric

Having held a TS clearance and worked in an IT DOD
environment, I can tell you that the mindset of most of the people involved in
operations like this is not really what you would think. Its almost like these
people think they are entitled/empowered to spy on whoever they need to, simply to obtain the information they need to meet their intelligence missions. In their
sphere, coming up with these vulnerabilities is a golden ticket for stellar
reviews and promotions… which simply equals a larger take-home pay. The guy/gal sitting in a cubicle at the NSA doesn’t stop to think about the moral implications of their work. I would venture to say their training and tasking is simply to break into things, not to ask whether its legal or acceptable. There is
also the mindset of “I am just doing my job” and why would I speak
up, as it will ruin my career and I need to put food on the table for the
family. There are so many programs out there to gather intel… very few would
pass public scrutiny; just saying. Think about this: Traffic fatalities in
alcohol-related crashes were 17,448 in 2001. 3547 people were killed by
terrorism in 2001. There are far more risks to your person/family in your life-time than terrorists. It just sucks there is a lot of money to be made off selling that fear to the public.

Robert Foy

This. We have lost over 80000 people to guns in this country since 911…yet we fight tooth and nail to keep our “rights” to carry firearms…yet we bend over and take it in the ass on a daily basis to protect against “terrorists”.

I am starting to think this country deserves the shit it’s getting, if this country lives in fright because of religious subhumans, if they just give up their rights over non sense, all in the name of “comfort and security”, then they don’t deserve freedom.

I am a curmudgeon, and now my view is just being reinforced. Half this country doesn’t care, as long as they get to keep watching their low IQ reality shows while sitting on their fat asses, they don’t care.

Sorry for the negativity, but you all know I am correct. Hackers and internet frontiersman have been saying this was going to come, all in thanks to an act of terrorism. It’s not a conspiracy, just a acknowledgement of how pathetic people are and how they are cowards.

Eric

I agree with a lot of that, but I would rather be given the option to maintain my rights to keep arms in my house and not to spied on by my government… guns are what keep the government out our physical dwellings. Sadly, we don’t have anything (other than a constitutional amendment) to keep the same government out of our computers. As a U.S. citizen who volunteered 10yrs of his life to the military, having joined a month after 9/11…. I feel somewhat betrayed by all of these revelations. I also agree that we are all responsible for the sad state of affairs in this country… its our collective fault that we allowed our country to arrive in its current state of dysfunction… there is plenty of blame to go around for anyone that is of voting age.

Cinekpol

“guns are what keep the government out our physical dwellings” – there’s a high chance that US government is already in your house, or will be within few months.

Windows is known to have a backdoors that enable NSA to install any application in your system – including one that’s using your webcam to look into your house and use mics to record everything you say. All of the major cellphone operators agreed to provide full access to ‘silent’ streaming of everything your phone can hear. If you’ll buy Xbox One – it’s Kinect will have an ability so silently record everything in your room, create 3D maps of it and automatically recognize people in to room along with their activity patterns.
And so on, and so on.
Whatever you have a gun or not – it doesn’t matter. Heck – it even doesn’t matter if you are US citizen, as by a single order you can be removed of your citizenship and killed by a drone in next few minutes (practice that’s unthinkable in many other western democracies).
IMHO a right to keep the gun is only given to you so that you would have a false feeling of security.

I never thought I’ll live in Orwell’s 1984.

Eric

That argument still falls back into them being able to get into your computer/Xbox/internet-enabled devices… a decent majority of guns in American homes helps keep the government from going door-to-door to round you up should our democracy come tumbling down… to some degree. It also serves as a deterrent to any ground invasion of our mainland from potential adversaries. There’s a reason Japan/Germany never even attempted to land troops here in WWII.

Cinekpol

Hehe, I guess your second argument is completely valid and justified. As for the first one… well – it’s rather an abstraction, none of the western countries got any issues of that sort in modern history, and besides – in these days there are so many ways to subdue populations that having nearly half of it with firearms doesn’t really stop you from controlling them.
“Bread and Circuses” works in modern day as well as it worked in ancient Rome.

Eric

So true…

ando35

They don’t need to go door to door to round people up. People will go along with anything and never say jack. Most of them won’t even be aware that it is going on because they remain ignorant.

XenoSilvano

honestly, if any of our devices power on without any apparent reason then I think its time to get scared, especially when we’re fast asleep or away.

I used to drape a piece of cloth over my webcam whenever it were plugged into the computer, you never know whose prying eyes could get access to it.

John Pombrio

The stats are appalling about how many people shoot themselves or their family, relatives, or close friends with handguns. Hell, a thief has a 50% chance of getting your gun than you! I would not put a gun in my house before I would a bottle of cyanide. The gun is much more deadly.

ando35

Yeah, right. Let’s hear you say that when you wake up with some guy in your house at 4 AM.

Damon

all of this and yet the government still bitches about a single, simple program most on here have probably heard of… TrueCrypt….

Daniel Revas

Have been using it for a long time. Great for keeping prying eyes off of your Drives, but when you open your email…

Angel Ham

So.. Can we finally stop blaming the Chinese government now?

Jim

Two questions (tongue in cheek):
1. When I have a hard drive failure and lose data, can I call the NSA for the backup?
2. When my credit information is hacked because SSL is no longer secure, how quickly will NSA reimburse my losses? hahaha

Cinekpol

Just to clear up:
Neither NSA nor GCHQ have cracked anything. They inserted backdoors into the software.

If they’d crack these security mechanisms – it would be a concern, but not that horrible.

However for the money of tax payers they put at risk their business, interests and privacy. Deliberate backdoors are the worst thing possible – they enable ANYONE to access the data without any issues, possibly leading to losses of tens of billions of dollars.

These security mechanisms are used by everyone – from private people to financial institutions. And this means that anyone who stumbles upon any of these backdoors got a potential of changing the fate of world economies, blackmail people at will, or steal best-kept corporate secrets bringing down huge companies to their knees.

Whatever the motivations of NSA and GCHQ were – they basically put an unlimited supply of free atomic bombs in a middle of busy city hoping noone will care to look inside and detonate any of them.

So far it seems none have been detonated – but we don’t know how many are already in a hands of our potential enemies.

DannyBoyJr

“if the cryptographic systems behind VPN, SSL, and TLS have been broken (3DES, AES, etc.) then work needs to begin on new industry-standard ciphers.”

I would have to disagree with this. As Bruce Schneier pointed out, the math is still good but the code has been “subverted”. AES is still safe but the implementation by the big internet companies is questionable. Both Intel and AMD chips have AES instruction sets in their recent chips. We don’t know yet if these were compromised to weaken encryption. Bitlocker by Microsoft is wholly untrustworthy.

To be honest, I would still rely on AES for my data-at-rest encryption. It is fast, it is reliable, it has been cryptanalysed to death, and it seems unlikely that the NSA has found a practical attack against it. But if we must migrate away from AES, there is still Twofish and Serpent. There’s even Threefish but it hasn’t been scrutinized as much as the AES finalist ciphers.

ando35

I guarantee the next guy who comes up with that ends up in cuffs or in a freak accident.

Dean Roussel

Pigeons!

http://www.cardinalphoto.com David Cardinal

Okay, I hardly ever bother to up-vote comments (my bad), but I’d vote for yours twice if I could!

XenoSilvano

This blatant violation of our liberties gives me the impression that the battle has already been won even before it has been fought, they’ve already got everything on lock-down.

XenoSilvano

I don’t think society is so (a)pathetic that there won’t come a time when the people will be force to tip the balance, something is going to have to give.

grand_puba

People are busy with their day to day lives – health, work, kids, food, vacations, etc… for them, nothing has to give unless they precieve a threat to their “normal” activities. If you are looking for a clear tipping point, you are in for a dissapointment.

XenoSilvano

I feel at a loss for hope whenever I think about these sorts of things, it makes me wonder how on earth we’ll ever be able to stand-up against all this, the position we’re in right now is so disadvantageous, what hell we’re going to do.

grand_puba

Do not despair. Never despair :)

These are the nature of the things – it’s a tugging competition between the “elites” and the “people”. First, the best way to combat it is to educate yourself. I suggest you start by reading “The Prince” by Niccolò Machiavelli (here, it’s free! : http://www.constitution.org/mac/prince.pdf) It’s the ultimate book for understanding this tugging competition I’m talking about. LEARN THE FACTS.

Then, FORM YOUR OPINION but do it according to HUMAN EXPERIENCE and ACTUAL HISTORY – like the founding fathers of the US did!

Then, you can try to go at it alone OR you can look for other people like you who want to lead a LEGAL and EDUCATED change for the better and work with them :)

This is the essence of a western democratic republic – we can change the power structure for the better without bloodshed!

ummon

Sadly, I disagree. This isn’t 1984. This is A Brave New World.

Reginald Peebottom

This isnt news. Why are people surprised? The fact that the NSA has been able to crack or circumvent “standard” encryption schemes has been known for a while and reported for the last several years if anyone bothered to pay attention. Recall the EU complaining of industrial espionage by the US using ECHELON (which admittedly wasnt to circumvent encryption itself but this goes back a decade or more and clearly demonstrates the lengths the US was going to have an all seeing eye on everything) or FBI’s carnivore system that was used to mass monitor email traffic.

All Snowden did is update us as to what we should have already strongly suspected existed. Whats interesting is that Snowden only had access to only some of the secrets of electronic espionage. It makes you wonder whats truly cutting edge in the US arsenal.

The bottom line, though, is ‘who cares?’. Because “they” don’t, They dont care that you look at porn. They dont care if you download movies. This isnt about that and any talk about hollywood funding this is just the masturbatory fantasies of the paranoid. They want to know industrial secrets. They want to know what other governments are “thinking”. They want to keep tabs on true enemies of the state. They want to be able to attack those enemies both virtually and in reality with the information gained. They want to protect their own systems. If I lived in China or in other countries with few individual freedoms and without rule of law, i’d worry more. But if you live in the states, relax. Unless you’re up to something bad. Really bad.

Of course, if you’re really paranoid, you could just stop doing the things that are making you paranoid to begin with. But that’s just too easy.

John Pombrio

This was rumored YEARS ago. Pretty much everyone thought that when PGP came along, the NSA was no longer able to read stuff. Only the truly paranoid still thought that everything could be read these days ( you are one of them apparently). I never thought this was still possible and still have a hard time believing the hype here.

Spruce Cycle

If ur a judge or a judge’s son/policeman/high profile local or national personality it’s BLACKMAIL.

The NSA also uses their incredible spying resources to insider trade on Wall St.

As for the average person the heat will come to you when you apply for a job, apply for a mortgage, apply for any loan or even job promotion. You forget Mr. Defeatist that the NSA plays both sides, they often form information brokerages selling the collected data to third parties.

Also, with all this information collected it’ll be interesting when various “Real ID’s” make their appearance. What exact database will your new driver license be hooked into?

Enjoy ur new dystopia!

ando35

You are so full of it. Any power that the government has will eventually be ABUSED. That is why the constitution was designed to limit government power. It is a given that, in time, this will be used to get the leg up on foreign business, then it will be used to blackmail political opponents, supreme court judges and people who are critical of the government.

Your argument of “If you have nothing to hide” is null.

In every country where the government has unlimited power, they abuse it. Think El Salvador in the 80’s, Argentina in the 70’s or the Soviet Union in the 30’s.

John Pombrio

What is this now, 5 or 6 Snowden leaks? We only have about 2-300 hundred more to go!

zapper

Entire Internet is a Trojan Horse of US Military.
.
.
.

Spruce Cycle

DARPA has never lost control of its creation the internet; it has always served their purposes.

Spruce Cycle

You pseudo-techies put ur faith in technology: “onion routing”, “open source”, just like a Texas primitive puts it in Jeebus.

“It’s open source they’d be crazy to put a backdoor in there ppl would find it”, oh really? Your multi-billion dollar black budget of just this one intelligence agency produces its own science, while weakening ours; produces its own chips thru IBM, while insterting BIOS backdoors in ours; hides in plain sight, the EFF? Funded by major corporations that have spooks on the Board but because they’re “dedicated to online privacy, blah blah blah” u simpletons accept it a face value.

For chirssakes TOR is a creation of the ONI, who would put that shit on their computer? Onion routing and their catoonish diagrams of Alice, Bob and a bunch of arrows is nonsense; a normal person’s first assumption should be that the ONI would have every reason to backdoor it and allowing its successful use by drug dealers and child abusers are 1) stories planted by their assets in the media to publicize and educate targets about this new “anonymous medium” 2) give it credibility as a genuine “anonymous” network.

Whoevers shocked by these “revelations” (hardly new, allegations of these specific types go back years and intelligence spookery decades: Cointelpro, anyone?) has been willfully living in the bubble of blind faith bolstered by their own incuriosity and corporate owned blogs like this one.

In fact we should all be suspicious now as to what is the real reason the corporate media is fixating on (fake whitleblower) Edward Snowdens “revelations”.

Fact: most VPNs are located in DC.
Fact: most “anonymizing” products are created and put on the market by former spooks and who by the way are also information brokers see: anonymizer/Trapwire

Most of you are prolly white, middle class guys who’ve never had the boot on the neck so the idea that the American Gov’t is out of control, commits and has committed heinous human atrocities and says one thing and then does another is a source of befuddlement for you.

So I fully expect Snowdens “revealtions” to roll of your back, like water off a duck’s, and u pseud-techies to go back to “Dude, Ps4 is better!” “No, Xbox is, kinect is AWESOME!”

lucas1024

Fact: you don’t know what a VPN is.

Spruce Cycle

Says, you, the pseudo-techie.

Max

So this means that if the keys ever get into the wrong hands, which i am sure the NSA has probably already compromised, just how vulnerable is all of our data? I wonder if places like China, North Korea, or even Syria, could use these back doors and over run our own software and use it against us? Hmmmm? Thank goodness for Snowden, if it wasn’t for him, we wouldn’t know about just how dangerous a game the NSA is playing with all of our future!

http://www.cardinalphoto.com David Cardinal

Max — There is also something called “perfect forward secrecy” that dynamically creates new keys from the original public/private pairs. I believe Google uses this, for example. It is supposed to help prevent loss from the compromise of one of the private keys. It’s pretty new to me, but maybe some of our other readers can chip in on how effective it might be.

Mr Moo

What does this mean for the TOR network? have the US government figured out how to spy on that aswell?

Use of this site is governed by our Terms of Use and Privacy Policy. Copyright 1996-2015 Ziff Davis, LLC.PCMag Digital Group All Rights Reserved. ExtremeTech is a registered trademark of Ziff Davis, LLC. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis, LLC. is prohibited.